How the celebrity hack could have been done

September 1, 2014

So there’s this rumour that Apple iCloud has been hacked, and a lot of celebrities’ private photos are being leaked, which is quite evident. The leak started at 4chan.org on Sunday at around 4pm. However, very little evidence seems to be public (at the time of writing). So we’ll try to clarify what may have happened.

Disclaimer: We have no proof of our assumptions, so take this post with a grain of salt. The brands mentioned don’t necessarily have to be involved.

How iPhone and iCloud sync work

iPhones synchronize just about everything automatically with iCloud for backup and device-sharing purposes. That includes the images taken with the camera. Whenever someone sends an MMS to an iPhone user, that image won’t get synchronised out-of-the-box. The user has to manually store the image to their collection of photos for the synchronization to take place. This means that the user has to either take the photo themselves (to get it stored in the Camera Roll), or send it to a third party who in turn stores it on their device with synchronization activated.

Brute force of Apple ID

This proof of concept, iBrute, first appeared on GitHub two days ago (2014-08-30). It allows an attacker to run a dictionary attack against an Apple ID without the restrictions of captchas. This means that an attacker can quickly iterate thousands of email addresses with a set of common passwords to try gaining access to accounts. With a bit of luck, the attacker may successfully compromise the user’s Apple ID, hence gaining access to iCloud and everything related to the Apple account.

According to the statistics generated by Mark Burnett, 0.5% of users use the password “password”. The wordlists provided on his blog, which contain the top 10.000 passwords (used by 30% of all users), should provide the attacker with enough power to crack a big set of users.

Reused passwords and old database dumps

One potential theory is that the attacker has gathered publicly disclosed database dumps from hacked websites, cracked the passwords and tried the third-party credentials against Apple ID. According to Sophos 2013, approximately 55% of all users reuse their passwords everywhere. It should be noted that this method will be faster to perform in theory, as it only requires one password instead of a set of 10.000. With a bit of manual work the attacker may launch targeted attacks towards whatever group of his liking (which now appears to be female celebrities). This may very well change until the source of the problem is resolved.

Emails also leak regularly through various means. There are a bunch of websites with username (and email) enumeration issues. Emails are predictable in nature. The attacker could just as well have guessed the emails, tried a set of passwords, and relied solely on luck to compromise the accounts.
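The two patterns described above (many guesses against one Apple ID, and a single reused password tried per account) leave different traces in login logs. The following is an added example, not part of the original post and not any vendor's code, that flags both in constructed login events; the thresholds, time window, addresses and account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_FAILS_PER_ACCOUNT = 5        # assumed: many guesses at one account
MAX_ACCOUNTS_PER_SOURCE = 3      # assumed: one guess each at many accounts

def sample_events():
    """Constructed login events: (time, source IP, account, succeeded)."""
    t0 = datetime(2014, 9, 1, 12, 0, 0)
    def step(n):
        return t0 + timedelta(seconds=20 * n)
    # Dictionary attack: eight wrong passwords against a single account.
    events = [(step(i), "198.51.100.7", "alice@example.com", False) for i in range(8)]
    # Reused credentials: one guess per account, so no account sees a second failure.
    events += [(step(i), "203.0.113.9", f"user{i}@example.com", False) for i in range(5)]
    events.append((step(5), "203.0.113.9", "user5@example.com", True))  # a reused password matched
    # Ordinary user: one typo, then a correct login.
    events += [(step(0), "192.0.2.4", "bob@example.com", False),
               (step(1), "192.0.2.4", "bob@example.com", True)]
    return events

def detect(events, window=WINDOW):
    """Return (guessed_accounts, spraying_sources, suspect_logins)."""
    by_account = defaultdict(list)  # account -> recent failure times
    by_source = defaultdict(list)   # source  -> recent (time, account) failures
    guessed, spraying = set(), set()
    for when, source, account, ok in sorted(events, key=lambda e: e[0]):
        if ok:
            continue
        recent = [t for t in by_account[account] if when - t <= window] + [when]
        by_account[account] = recent
        if len(recent) > MAX_FAILS_PER_ACCOUNT:
            guessed.add(account)
        seen = [(t, a) for t, a in by_source[source] if when - t <= window]
        seen.append((when, account))
        by_source[source] = seen
        if len({a for _, a in seen}) > MAX_ACCOUNTS_PER_SOURCE:
            spraying.add(source)
    # A success from a source flagged for spraying deserves review.
    suspect = {(s, a) for _, s, a, ok in events if ok and s in spraying}
    return guessed, spraying, suspect

if __name__ == "__main__":
    guessed, spraying, suspect = detect(sample_events())
    print("accounts under dictionary attack:", sorted(guessed))
    print("sources guessing across accounts:", sorted(spraying))
    print("successful logins to review:", sorted(suspect))
```

A per-account failure counter alone only catches the first pattern; the per-source count of distinct accounts is what surfaces the reused-credential attempts, where each account sees just one failure.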

It may not be iCloud

The images first appeared on 4chan, which automatically removes EXIF metadata. That means no real evidence can be extracted from the images alone. Evidence such as:

Which device took the picture (was it really an iPhone?)

When the picture was taken

Whether it was edited, for example in Photoshop

Etc

What’s interesting about this leak is that not all pictures appear to feature iPhones. Dropbox has similar capabilities to iCloud when it comes to cross-device sharing. E.g., Dropbox also has its own photo sharing feature. I’ll leave it at that.

If it truly is iCloud that’s the problem, then there’s no notable chance of private videos leaking, since My Photo Stream won’t sync videos. The original uploader claims to have videos, which means that either it’s not from just iCloud or the uploader is trying to scam people to get bitcoins.

Beware of scams

People hoping to get more pictures should be wary of scam attempts. Scammers are trying to make users send bitcoins in exchange for more images. Some attempts may be “legit” while others (most) are probably scams.

It’s an unnecessary risk to have embarrassing photos lying around. If you want to keep them, store them offline. Even though you delete an image on your iPhone, it may not be deleted on iCloud or other vendors.

The truly paranoid could check out the security practices of their cloud providers. The same tips should be sufficient for other vendors as well.

If you want to check the security of your own website, give Detectify a try!